tech-pkg archive


Re: Prefer pkgsrc OpenSSL after 2016Q1.




On 10.03.2016 00:05, J. Lewis Muir wrote:
> On 3/9/16 4:45 PM, Kamil Rytarowski wrote:
>> Please check the dates of the most recent advisories: 
>> http://netbsd.org/support/security/
>> 
>> The latest advisory is from 2015.
>> 
>> Please see for example this page for the latest stable release: 
>> http://netbsd.org/support/security/patches-7.0.html
>> 
>> "NetBSD 7.0 Security Advisories
>> 
>> Below is the list of advisories applicable to the NetBSD 7.0
>> release:
>> 
>> Nothing thus far"
> 
> NetBSD 7 was released on September 25, 2015.  Looking for all
> security advisories sent to the security-announce mailing list
> since then finds just one:
> 
> http://mail-index.netbsd.org/security-announce/2015/10/22/msg000108.html
>
>  And in it, it says
> 
> ===
> Version:  NetBSD-current:      source prior to Mon, Jul 24th 2015
>           NetBSD 7.0:          not affected
>           NetBSD 6.1 - 6.1.5:  affected
>           NetBSD 6.0 - 6.0.6:  affected
>           NetBSD 5.2 - 5.2.3:  affected
>           NetBSD 5.1 - 5.1.5:  affected
> ===
> 
> That tells me that NetBSD 7 was not affected, so that makes me
> believe that the "Nothing thus far" at
> 
> http://netbsd.org/support/security/patches-7.0.html
> 
> is correct.
> 
> Are there security advisories you know of that were not sent to
> the security-announce mailing list?
> 

No, and this is the point that there aren't any as you said. While
pointing out issues with openssl or openssl for 7.0 is simple for a
person now involved in tracking security issues.

This is the reason why pkgsrc comes to mind. At least things will get
updated quarterly.

>> This is why I formulated it by not active field, while users do
>> check these pages and they are worried. I'm not a person in
>> security team I cannot point them any actions taken off-hand -
>> for example for DROWN.
> 
> I've seen no indication that the security team is dropping the
> ball.  To my knowledge they've done a good job.
> 
>> Answer to pick-up -current isn't appropriate for everybody.
> 
> Agreed.
> 
> Regards,
> 
> Lewis
> 


